From 9d3c5d14d98f2f704966aca3448a803f1e9f5315 Mon Sep 17 00:00:00 2001
From: Liz Long <104389055+lizgt2000@users.noreply.github.com>
Date: Tue, 3 Jan 2023 14:36:23 -0500
Subject: [PATCH] localusersandgroups lockdown lsa
---
.../mdm/policy-csp-localusersandgroups.md | 252 +++++++++---------
.../mdm/policy-csp-lockdown.md | 136 +++++-----
.../client-management/mdm/policy-csp-lsa.md | 214 +++++++++------
3 files changed, 332 insertions(+), 270 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md
index 10e2076e07..3829efc9fb 100644
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@@ -1,65 +1,139 @@
---
-title: Policy CSP - LocalUsersAndGroups
-description: Policy CSP - LocalUsersAndGroups
+title: LocalUsersAndGroups Policy CSP
+description: Learn more about the LocalUsersAndGroups Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/03/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 10/14/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - LocalUsersAndGroups
-
+
+
+
-
-## LocalUsersAndGroups policies
+
+## Configure
-
- -
- LocalUsersAndGroups/Configure
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2009 [10.0.19042] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
+```
+
-
-**LocalUsersAndGroups/Configure**
+
+
+This Setting allows an administrator to manage local groups on a Device. Possible settings: 1. Update Group Membership: Update a group and add and/or remove members though the 'U' action. When using Update, existing group members that are not specified in the policy remain untouched. 2. Replace Group Membership: Restrict a group by replacing group membership through the 'R' action. When using Replace, existing group membership is replaced by the list of members specified in the add member section. This option works in the same way as a Restricted Group and any group members that are not specified in the policy are removed.
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device.
+> [!CAUTION]
+> If the same group is configured with both Replace and Update, then Replace will win.
+
+
+
> [!NOTE]
> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
>
> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+**Allowed values**:
+
+
+
+ Expand to see schema XML
+
+```xml
+
+
+
+
+
+
+
+
+
+
+
+ Group Configuration Action
+
+
+
+
+
+
+
+ Group Member to Add
+
+
+
+
+
+
+
+ Group Member to Remove
+
+
+
+
+
+
+
+ Group property to configure
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Local Group Configuration
+
+
+
+
+
+
+```
+
+
+
+
+
+
+**Example**:
Here is an example of the policy definition XML for group configuration:
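Review bot: typo in the new Configure description (`+This Setting allows an administrator to manage local groups on a Device. Possible settings: 1. Update Group Membership: ...`): "add and/or remove members though the 'U' action" should read "through the 'U' action", and "This Setting" / "a Device" should be lowercase. The same line folds the two options ("1. Update Group Membership ..." and "2. Replace Group Membership ...") into one paragraph; splitting them into a numbered list would make the Update/Replace distinction, which the CAUTION right below depends on, easier to read. Also confirm that dropping the Business edition is intended: the removed table listed `-|Business|Yes|Yes|`, while the new Scope/Editions table lists only Home, Pro, Enterprise, Education and Windows SE.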
@@ -95,14 +169,10 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura
> - `` is not valid for the R (Restrict) action and will be ignored if present.
> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
-
-
-
-
**Examples**
-Example 1: Azure Active Directory focused.
+**Example 1**: Azure Active Directory focused.
The following example updates the built-in administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** with an Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
@@ -116,12 +186,13 @@ The following example updates the built-in administrators group with the SID **S
```
-Example 2: Replace / Restrict the built-in administrators group with an Azure AD user account.
+**Example 2**: Replace / Restrict the built-in administrators group with an Azure AD user account.
> [!NOTE]
> When using the ‘R’ replace option to configure the built-in Administrators group with the SID **S-1-5-21-2222222222-3333333333-4444444444-500** you should always specify the administrator as a member plus any other custom members. This is necessary because the built-in administrator must always be a member of the administrators group.
-Example:
+**Example**:
+
```xml
@@ -132,7 +203,7 @@ Example:
```
-Example 3: Update action for adding and removing group members on a hybrid joined machine.
+**Example 3**: Update action for adding and removing group members on a hybrid joined machine.
The following example shows how you can update a local group (**Administrators** with the SID **S-1-5-21-2222222222-3333333333-4444444444-500**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add an Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
@@ -147,13 +218,6 @@ The following example shows how you can update a local group (**Administrators**
```
-
-
-
-
-
-
-
> [!NOTE]
>
> When Azure Active Directory group SID’s are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
@@ -233,70 +297,16 @@ To troubleshoot Name/SID lookup APIs:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force
```
+
-```xml
-
-
-
-
-
-
-
-
-
-
-
- Group Configuration Action
-
-
-
-
-
-
-
- Group Member to Add
-
-
-
-
-
-
-
- Group Member to Remove
-
-
-
-
-
-
-
- Group property to configure
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Local Group Configuration
-
-
-
-
-
-
-```
+
-
+
+
+
-## Related topics
+
+
+## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index fd60ffcbaa..743e929abc 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -1,84 +1,98 @@
---
-title: Policy CSP - LockDown
-description: Use the Policy CSP - LockDown setting to allow the user to invoke any system user interface by swiping in from any screen edge using touch.
+title: LockDown Policy CSP
+description: Learn more about the LockDown Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
-ms.topic: article
+ms.date: 01/03/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/27/2019
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - LockDown
-
+
+
+
-
-## LockDown policies
+
+## AllowEdgeSwipe
-
- -
- LockDown/AllowEdgeSwipe
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LockDown/AllowEdgeSwipe
+```
+
-
-**LockDown/AllowEdgeSwipe**
+
+
+If you disable this policy setting, users will not be able to invoke any system UI by swiping in from any screen edge.
-
+If you enable or do not configure this policy setting, users will be able to invoke system UI by swiping in from the screen edges.
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
+
+
The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied, and then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange, that will also be disabled.
+
-
-
-ADMX Info:
-- GP Friendly name: *Allow edge swipe*
-- GP name: *AllowEdgeSwipe*
-- GP path: *Windows Components/Edge UI*
-- GP ADMX file name: *EdgeUI.admx*
+
+**Description framework properties**:
-
-
-The following list shows the supported values:
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
-- 0 - disallow edge swipe.
-- 1 (default, not configured) - allow edge swipe.
+
+**Allowed values**:
-
-
-
+| Value | Description |
+|:--|:--|
+| 0 | Disallow edge swipe. |
+| 1 (Default) | Allow edge swipe. |
+
-
+
+**Group policy mapping**:
-## Related topics
+| Name | Value |
+|:--|:--|
+| Name | AllowEdgeSwipe |
+| Friendly Name | Allow edge swipe |
+| Location | Computer and User Configuration |
+| Path | Windows Components > Edge UI |
+| Registry Key Name | Software\Policies\Microsoft\Windows\EdgeUI |
+| Registry Value Name | AllowEdgeSwipe |
+| ADMX File Name | EdgeUI.admx |
+
-[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
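Review bot: the Group policy mapping row `+| Location | Computer and User Configuration |` conflicts with the Scope column at the top of the section, which marks `:heavy_check_mark: Device` and `:x: User`. If the CSP setting is device-only while the ADMX policy exists in both hives, say so next to the mapping table; otherwise the scope table should show User as supported. As in the other files in this patch, the removed edition table listed `-|Business|Yes|Yes|` and the new table omits Business; confirm that is intentional.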
diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md
index 89702a9f64..23573031f7 100644
--- a/windows/client-management/mdm/policy-csp-lsa.md
+++ b/windows/client-management/mdm/policy-csp-lsa.md
@@ -1,131 +1,169 @@
---
-title: Policy CSP - LocalSecurityAuthority
-description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS).
-ms.author: vinpa
+title: LocalSecurityAuthority Policy CSP
+description: Learn more about the LocalSecurityAuthority Area in Policy CSP
author: vinaypamnani-msft
-ms.reviewer:
manager: aaroncz
-ms.topic: reference
+ms.author: vinpa
+ms.date: 01/03/2023
+ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
-ms.localizationpriority: medium
-ms.date: 08/26/2022
+ms.topic: reference
---
-# Policy CSP - LocalSecurity Authority
+
-
-
-
-
-## LocalSecurityAuthority policies
-
-
- -
- LocalSecurityAuthority/AllowCustomSSPsAPs
-
- -
- LocalSecurityAuthority/ConfigureLsaProtectedProcess
-
-
+
+# Policy CSP - LocalSecurityAuthority
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
-
+
+## AllowCustomSSPsAPs
-
-**LocalSecurityAuthority/AllowCustomSSPsAPs**
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/AllowCustomSSPsAPs
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+This policy controls the configuration under which LSASS loads custom SSPs and APs.
-
-
+If you enable this setting or do not configure it, LSA allows custom SSPs and APs to be loaded.
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+If you disable this setting, LSA does not load custom SSPs and APs.
+
-> [!div class = "checklist"]
-> * Device
+
+
+
-
+
+**Description framework properties**:
-
-
-This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs).
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-If you enable this policy setting or don't configure it, LSASS will allow loading of custom SSPs and APs.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-If you disable this policy setting, LSASS will block custom SSPs and APs from loading.
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | AllowCustomSSPsAPs |
+| Friendly Name | Allow Custom SSPs and APs to be loaded into LSASS |
+| Location | Computer Configuration |
+| Path | System > Local Security Authority |
+| Registry Key Name | Software\Policies\Microsoft\Windows\System |
+| Registry Value Name | AllowCustomSSPsAPs |
+| ADMX File Name | LocalSecurityAuthority.admx |
+
-
-ADMX Info:
-- GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS*
-- GP name: *AllowCustomSSPsAPs*
-- GP path: *System/Local Security Authority*
-- GP ADMX file name: *LocalSecurityAuthority.admx*
+
+
+
-
-
+
-
+
+## ConfigureLsaProtectedProcess
-
-**Kerberos/ConfigureLsaProtectedProcess**
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess
+```
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+This policy controls the configuration under which LSASS is run.
-
-
+If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs that are domain or cloud domain joined devices. This configuration is not UEFI locked. This can be overridden if the policy is configured.
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+If you configure and set this policy setting to "Disabled", LSA will not run as a protected process.
-> [!div class = "checklist"]
-> * Device
+If you configure and set this policy setting to "EnabledWithUEFILock," LSA will run as a protected process and this configuration is UEFI locked.
-
+If you configure and set this policy setting to "EnabledWithoutUEFILock", LSA will run as a protected process and this configuration is not UEFI locked.
+
-
-
-This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process.
+
+
+
-If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process.
+
+**Description framework properties**:
-If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable.
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
-If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting won't be stored in a UEFI variable.
+
+**Allowed values**:
-
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Disabled. Default value. LSA will not run as protected process. |
+| 1 | Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked. |
+| 2 | Enabled without UEFI lock. LSA will run as protected process and this configuration is not UEFI locked. |
+
-
-ADMX Info:
-- GP Friendly name: *Configure LSASS to run as a protected process*
-- GP name: *ConfigureLsaProtectedProcess*
-- GP path: *System/Local Security Authority*
-- GP ADMX file name: *LocalSecurityAuthority.admx*
+
+**Group policy mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | ConfigureLsaProtectedProcess |
+| Friendly Name | Configures LSASS to run as a protected process |
+| Location | Computer Configuration |
+| Path | System > Local Security Authority |
+| Registry Key Name | System\CurrentControlSet\Control\Lsa |
+| ADMX File Name | LocalSecurityAuthority.admx |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
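Review bot: the ConfigureLsaProtectedProcess allowed-values row `+| 0 (Default) | Disabled. Default value. LSA will not run as protected process. |` is at odds with the not-configured behaviour described a few lines earlier (`+If you do not configure this policy and there is no current setting in the registry, LSA will run as protected process for clean installed, HVCI capable, client SKUs ...`): 0 is the value the policy reports when nothing is set, but the effective state on such a device is protected. Because this setting decides whether LSASS runs as a protected process, the row should distinguish "explicitly set to 0" from "not configured", or point back to that paragraph. Smaller points: the ConfigureLsaProtectedProcess mapping table has no Registry Value Name row, unlike the AllowCustomSSPsAPs table (`+| Registry Value Name | AllowCustomSSPsAPs |`), so readers cannot tell which value under the Lsa key the policy writes; the new AllowCustomSSPsAPs text drops the expansions of SSP (security support provider) and AP (authentication provider) that the removed description carried, so spell them out on first use; "run as protected process" should be "run as a protected process" throughout; and the comma placement in "EnabledWithUEFILock," differs from "EnabledWithoutUEFILock",.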